How far do you trust an unknown USB Stick?

Suppose there was an unknown USB stick, waiting to be found in your parking lot. Perhaps this would scare you enough to disable autorun throughout your domain (you’ve done that, right?). Now imagine that someone gave one of your users a USB device, the user connected it to a workstation on your network, and in turn your network was compromised. How would you explain that?

I don’t know if this is a new idea, but the thought came to me while listening to the Pilot episode of the Securabit Podcast; thanks to Martin for pointing to the Podcast. In this episode they talk about YubiKey. The YubiKey is a USB authentication solution: when you plug the YubiKey (a USB device) into your computer, it is recognized as a USB keyboard. It has one button, and when pressed it enters a one-time password. I won’t go into any details, but if you’re interested you can watch a one minute video on the YubiKey site or listen to the Securabit Podcast.

The product got me thinking: what if someone were to make a device that looks like a USB stick but is in fact a USB keyboard, just like the YubiKey? Instead of being programmed to enter a random password string, however, it would be made to enter a malicious string of characters. For example an attacker might choose to target a Windows box with these characters.

This would install a trojan on the target computer (assuming the user is allowed to run tftp) simply because the device was connected to the computer.

This shouldn’t be a great threat, and this attack in particular would be mitigated by just locking the screen. However, it still doesn’t hurt to have respect for the unknown, and I’d stay away from those USB sticks found in the parking lot.
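
A defender's view of the device described above, as an added example that is not part of the original post: whatever the casing looks like, a USB device declares what each of its interfaces is in its configuration descriptor, so a "stick" that announces a keyboard interface can be spotted before it is trusted. The two sample descriptors are constructed for illustration and the function names are hypothetical.

```python
import struct

# USB-IF class codes: (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol)
KNOWN = {
    (0x03, 0x01, 0x01): "HID boot keyboard",
    (0x03, 0x01, 0x02): "HID boot mouse",
    (0x08, 0x06, 0x50): "mass storage (SCSI, bulk-only)",
}

def interfaces(config: bytes):
    """Walk a raw configuration descriptor and return one
    (class, subclass, protocol) tuple per interface descriptor."""
    if len(config) < 4 or config[1] != 0x02:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", config, 2)[0]  # wTotalLength
    if total > len(config):
        raise ValueError("truncated descriptor")
    found, pos = [], 0
    while pos + 2 <= total:
        length, dtype = config[pos], config[pos + 1]
        if length < 2 or pos + length > total:
            raise ValueError("malformed descriptor length")
        if dtype == 0x04 and length >= 9:  # interface descriptor
            found.append(tuple(config[pos + 5:pos + 8]))
        pos += length
    return found

def describe(config: bytes):
    """Human-readable label for every interface the device declares."""
    return [KNOWN.get(i, "class 0x%02x" % i[0]) for i in interfaces(config)]

def can_send_input(config: bytes) -> bool:
    """True if any interface is HID (class 0x03). Non-boot HID interfaces can
    also act as keyboards; that is decided by the report descriptor, which
    this example does not parse."""
    return any(cls == 0x03 for cls, _, _ in interfaces(config))

# Constructed sample: an ordinary flash drive (one mass-storage interface).
STICK = bytes.fromhex("09 02 20 00 01 01 00 80 32" "09 04 00 00 02 08 06 50 00"
                      "07 05 81 02 00 02 00" "07 05 02 02 00 02 00")
# Constructed sample: stick-shaped device that declares a boot keyboard.
KEYBOARD_IN_STICK_CASE = bytes.fromhex(
    "09 02 22 00 01 01 00 a0 32" "09 04 00 00 01 03 01 01 00"
    "09 21 11 01 00 01 22 3f 00" "07 05 81 03 08 00 0a")

if __name__ == "__main__":
    for name, cfg in (("stick", STICK), ("unknown", KEYBOARD_IN_STICK_CASE)):
        print(name, describe(cfg), "input-capable:", can_send_input(cfg))
```

A keyboard interface is not malicious in itself (the YubiKey declares one too); the signal is the mismatch between what the device appears to be and what it declares.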